How to outsmart the smart city

With the release of IBM’s The Dangers of Smart City Hacking White Paper, IBM X-Force Red’s Research Director Daniel Crowley provides a fascinating insight into a topic that is becoming increasingly and worryingly “hot”.

Today’s digital world has created new ways to keep us all informed and safe while automating our daily lives. Our phones send us alerts about weather hazards, traffic issues and lost children. We trust these systems since we have no reason not to — but that trust has been tested before. For a tense 38 minutes in January 2018, residents of Hawaii saw the following civil alert message on their mobile devices: “BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL.”

This false alarm was eventually attributed to human error, but what if someone intentionally caused panic using these types of systems?

Smart City View
This incident in Hawaii was part of what motivated our team of researchers from Threatcare and IBM X-Force Red to join forces and test several smart city devices, with the specific goal of investigating “supervillain-level” attacks from afar. We found 17 zero-day vulnerabilities in four smart city systems — eight of which are critical in severity. While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realize that smart cities are already exposed to old-school threats that should not be part of any smart environment.

So, what do smart city systems do? There are a number of different functions that smart city technology can perform — from detecting and attempting to mitigate traffic congestion to disaster detection and response to remote control of industry and public utilities.

The devices we tested fall into three categories: intelligent transportation systems, disaster management and the industrial Internet of Things (IoT). They communicate via Wi-Fi, 4G cellular, ZigBee and other communication protocols and platforms. Data generated by these systems and their sensors is fed into interfaces that tell us things about the state of our cities — like that the water level at the dam is getting too high, the radiation levels near the nuclear power plant are safe or the traffic on the highway is not too bad today.

Smart City Vulnerable
Earlier this year, our team tested smart city systems from Libelium, Echelon and Battelle. Libelium is a manufacturer of hardware for wireless sensor networks. Echelon sells industrial IoT, embedded and building applications and manufacturing devices like networked lighting controls. Battelle is a nonprofit that develops and commercializes technology.

When we found vulnerabilities in the products these vendors produce, our team disclosed them to the vendors. All the vendors were responsive and have since issued patches and software updates to address the flaws we’ll detail here.

After we found the vulnerabilities and developed exploits to test their viability in an attack scenario, our team found dozens (and, in some cases, hundreds) of each vendor’s devices exposed to remote access on the internet. All we did was use common search engines like Shodan or Censys, which are accessible to anyone using a computer.

Once we located an exposed device using some standard internet searches, we were able to determine in some instances who purchased the devices and, most importantly, what they were using the devices for. We found a European country using vulnerable devices for radiation detection and a major U.S. city using them for traffic monitoring. Upon discovering these vulnerabilities, our team promptly alerted the proper authorities and agencies of these risks.

Smart City Scare
Now, here’s where “panic attacks” could become a real threat. According to our logical deductions, if someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic. While no evidence exists that such attacks have taken place, we have found vulnerable systems in major cities in the U.S., Europe and elsewhere.

Here are some examples we found disturbing:
• Flood warnings (or lack thereof): Attackers could manipulate water level sensor responses to report flooding in an area where there is none — creating panic, evacuations and destabilization. Conversely, attackers could silence flood sensors to prevent warning of an actual flood event, whether caused by natural means or in combination with the destruction of a dam or water reservoir.
• Radiation alarms: Similar to the flood scenario, attackers could trigger a radiation leak warning in the area surrounding a nuclear power plant without any actual imminent danger. The resulting panic among civilians would be heightened due to the relatively invisible nature of radiation and the difficulty in confirming danger.
• General chaos (via traffic, gunshot reports, building alarms, emergency alarms, etc.): Pick your favorite crime action movie from the last few years, and there’s a good chance that some hacker magically controls traffic signals and reroutes vehicles. While they’re usually shown hacking into “metro traffic control” or similar systems, things in the real world can be even less complicated. If one could control a few square blocks’ worth of remote traffic sensors, they could create a gridlock effect similar to the ones seen in the movies. Those gridlocks typically show up when criminals need a few extra minutes to evade the cops or hope to send them on a wild goose chase. Controlling additional systems could enable an attacker to set off a string of building alarms or trigger gunshot sounds on audio sensors across town, further fueling panic.

In summary, the effects of vulnerable smart city devices are no laughing matter, and security around these sensors and controls must be a lot more stringent to prevent scenarios like the few we described.

Members of IBM X-Force Red, a team of seasoned hackers, testing for security issues in consumer electronics at a new secure testing facility in Austin, TX, Monday, August 6, 2018. In the Lab, the team will search for vulnerabilities in consumer and industrial IoT technologies, automotive equipment, ATMs and other systems before and after they are put into market. The Austin facility is one of four X-Force Red Labs, announced today by IBM Security. The other X-Force Red Labs will be located in Atlanta, GA, Hursley, UK and Melbourne, Australia. (Feature Photo Service)

The Vulnerabilities
IBM X-Force Red and Threatcare have so far discovered and disclosed 17 vulnerabilities in four smart city systems from three different vendors. The vulnerabilities are listed below in order of criticality for each vendor we tested:

The Fixes
Smart city technology spending is anticipated to hit $80 billion this year and grow to $135 billion by 2021. As smart cities become more common, the industry needs to re-examine the frameworks for these systems to design and test them with security in mind from the start.

In light of our findings, here are some recommendations to help secure smart city systems:
• Implement IP address restrictions to connect to the smart city systems;
• Leverage basic application scanning tools that can help identify simple flaws;
• Adopt safer password and API key practices, which can go a long way in preventing an attack;
• Take advantage of security incident and event management (SIEM) tools to identify suspicious traffic; and
• Hire “hackers” to test systems for software and hardware vulnerabilities. There are teams of security professionals — such as IBM X-Force Red — that are trained to “think like a hacker” and find the flaws in systems before the bad guys do.
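
As an added illustration (not from the white paper or any vendor), the following sketch combines the IP-restriction and SIEM recommendations above: it audits a device's admin-login log against an allowlist and flags default-account use. The log format, the network ranges, the account names and the threshold are all assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import Counter

# Assumed management networks permitted to reach the device admin interface.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/28")]
# Assumed vendor-default account names worth alerting on.
DEFAULT_USERS = {"admin", "root", "user"}
FAIL_THRESHOLD = 3  # failed logins from one outside source before alerting

# Constructed sample log: timestamp, source IP, user, result (hypothetical format).
SAMPLE_LOG = """\
2018-08-09T10:00:01Z 10.20.4.7 ops_jane LOGIN_OK
2018-08-09T10:02:13Z 203.0.113.50 admin LOGIN_FAIL
2018-08-09T10:02:15Z 203.0.113.50 admin LOGIN_FAIL
2018-08-09T10:02:17Z 203.0.113.50 root LOGIN_FAIL
2018-08-09T10:05:40Z 198.51.100.9 admin LOGIN_OK
2018-08-09T10:06:02Z 192.0.2.5 admin LOGIN_OK
not a log line
"""

def is_allowed(ip):
    """True if ip falls inside one of the allowlisted management networks."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in ALLOWED_NETS)

def analyze(log_text):
    """Return (timestamp, source, reason) alerts for the given log text."""
    alerts, fails = [], Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # wrong field count: skip
        ts, src, user, result = parts
        try:
            allowed = is_allowed(src)
        except ValueError:
            continue  # four fields but no valid IP: skip
        if not allowed:
            if result == "LOGIN_OK":
                alerts.append((ts, src, "login from outside allowlist"))
            elif result == "LOGIN_FAIL":
                fails[src] += 1
                if fails[src] == FAIL_THRESHOLD:  # alert once per source
                    alerts.append((ts, src, "repeated failed logins"))
        if result == "LOGIN_OK" and user in DEFAULT_USERS:
            alerts.append((ts, src, "default account in use"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The default-account check fires even for allowlisted sources, since a default password that still works is a finding regardless of where the login came from.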

